[Openswan Users] CheckPoint Firewall Hybrid Mode

mei04014 at fe.up.pt
Mon Jul 4 15:58:36 CEST 2005


Thanks for your reply, but I don't quite understand you...

I'm trying to make a tunnel between my Linux box and a Checkpoint Firewall,
using hybrid method.

The way hybrid method works, as far as I understood it, is:
- A phase 1 exchange authenticates the firewall using RSA
- after that, a Transaction Exchange is initiated by the firewall, protected by
the IKE SA negotiated in phase 1, and where the user is authenticated.
- upon successful completion of the exchange the IKE SA can be used for other
purposes, like Quick mode...

What I would like to know, and if possible get an example, is if an openswan
Linux client supports this kind of asymmetric authentication...

Manuel Gomes

Quoting Michael Schwartzkopff <misch at multinet.de>:

> On Monday, 4 July 2005 12:23, Manuel Mesquita T. F. Gomes wrote:
>> Hi,
>> can anyone please tell me if openSwan supports interoperability with a
>> Checkpoint Firewall configured in hybrid mode?
>> The firewall uses RSA signature for its authentication and then expects
>> a username/password from the user to authenticate against a RADIUS
>> server.
>> Is there any way to make an IPSec tunnel work in Linux in this situation?
>> Or will I have to continue using Checkpoint's client software on
>> Windows?
>> I'd appreciate any answer at all, just to know if it is possible and I
>> should keep trying or it is impossible and I can stop trying.
>> Thanks and kind regards,
>> Manuel Gomes
> Hi,
> as far as I understood the hybrid mode in VPN-1 the Checkpoint Firewall
> accepts both. Well, I still can remember we configured this. And it is
> working. Just username/pw for the tunnel.
> --
> Dr. Michael Schwartzkopff
> MultiNET Services GmbH
> Bretonischer Ring 7
> 85630 Grasbrunn
> Tel: (+49 89) 456 911 - 0
> Fax: (+49 89) 456 911 - 21
> mob: (+49 174) 343 28 75
> PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
> Skype: misch42
